Twitter says accounts were not compromised despite hacker's claims

Share this article:
Officials with Twitter have confirmed that no accounts have been impacted following the incident.
Officials with Twitter have confirmed that no accounts have been impacted following the incident.

Is every Twitter account at risk of being compromised?

A hacker operating under the name “Mauritania Attacker” has claimed so – but even though he released purported account information for more than 15,000 users on Tuesday morning, officials with Twitter said the service was not affected.

The pro-Islam hacker, who takes his moniker from the West African Arab Maghreb country in which he is said to reside, posted the Twitter information – 15,167 accounts in total – to file-hosting website Zippyshare on Tuesday morning. He claims to have access to numerous more.

Each account on the list included Twitter nickname, numerical identification number and OAuth token and OAuth token secret exposed. Passwords were not compromised, but the OAuth information may be all a hacker needs to access a Twitter account.

OAuth is an open standard that allows services to interact with each other without needing to share all types of private information, such as usernames and passwords. Specifically on Twitter, “OAuth is an authentication protocol that allows users to approve [an] application to act on their behalf without sharing their password," according to the service.

But OAuth can be manipulated by the Firefox extension Tamper Data, “Mauritania Hacker” told Indian news site Techworm on Tuesday.

When used maliciously, Tamper Data allows users to meddle with data being sent back and forth between a client and server, according to a post by Andy O'Donnell, a senior security engineer and analyst. He said the extension can allow people to bypass restrictions built into websites or web applications.

O'Donnell did not immediately respond to an inquiry from SCMagazine.com on how a user could actually gain access to Twitter accounts using OAuth and Tamper Data, but Twitter representatives do not seem too concerned.

“We have investigated the situation and can confirm that no Twitter accounts were compromised,” a Twitter spokesperson told SCMagazine.com on Tuesday. "“We always recommend that users regularly review the third party apps that [they] have granted account access to, just as a general best practice. In this case, however, no one was able to gain access to any Twitter accounts."

OAuth, meanwhile, hadn't listed any security advisories on its website press time.

"The OAuth community is committed to identifying and addressing any security issues raised relating to the OAuth protocol and extensions," it said. "Any identified threat will be published on this page as soon as it is safe to do so. Due to the nature of many security threats, they cannot be disclosed before sufficient notice is given to vulnerable parties."

Coincidentally, nearly four months ago, security researcher Ryan Kelker contacted Twitter about being able to produce similar results by using an app he created himself. He based the app on TweetDeck, a thir- party social media dashboard for management of Twitter accounts.

Kelker posted his findings to Coderwall after a lack of response from Twitter, although SCMagazine.com could not confirm if his findings had any influence on “Mauritania Attacker.”

The hacker, according to a Reuters story in June, is responsible for coordinating groups of intruders whose goal is "defend Muslims by peaceful means."

In light of claims from the hacker, McAfee research head David Marcus took to Twitter on Tuesday and advised all users to change their Twitter passwords. “[G]reat point about changing logins while an attacker may still have access,” he responded to one user. “I say change now and [change again] post disclosure.”  

Alan Woodward, a security expert in the U.K,. suggested obtaining new OAuth tokens. He told GigaOM.com on Tuesday that Twitter users should “go in and revoke third party's apps rights and then just relogin when [or] if you want to reaccess Twitter via that app. This way a new token will be issued.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.